Using Windows Server in a “Windows container”? Then beware of it, as recently, it has been confirmed that highly sophisticated malware has been active for over a year.
The cybersecurity researchers at Palo Alto Networks Unit 42 have recently discovered a new malware, known as, “Siloscape,” and it uses Windows containers to access Kubernetes clusters.
Since they generally focus on Linux systems, that’s why it goes after the Windows containers that are deemed as unusual. To connect to a C2 server that is used by attackers to control the Siloscape, data filtering, and commands, the malware (Siloscape) uses a Tor proxy and an onion domain.
Through server isolation and un-patched vulnerabilities, Cloudmalware.exe, it’s the malware that targets the Windows containers. After that using the different breakout techniques for Windows containers, Siloscape try to run the RCE on a container’s underlying node.
To steal data from the apps present on the cluster or upload cryptographers, the Siloscape will create malicious containers, but these things will be possible when it will manage to break out and establish itself in a cluster successfully.